This presentation offers insights on how an offshore IT organization has to get ready to align with the General Data Protection Regulation issued by the European Union.
GDPR – Readiness in IT offshore organization
1. GDPR – Readiness in IT Offshore organizations
Vishnu varthanan Moorthy
17 Dec 2017
2. Is GDPR a Fear Factor?
GDPR's intention is to bring better compliance, transparency and control over personal data.
Fear: fines of up to 4% of the enterprise's annual turnover or up to 20 million Euros, whichever is higher.
Reality: in 99.9% of cases no penalty was ever issued by the Commission in the last year (under the existing directive); out of 17,100+ cases only 16 were levied with a fine.
Fear is unjustified, but focus is!
GDPR (General Data Protection Regulation) is intended to bring a) control over their data back to the data subject (natural person), b) a common regulation across EU states, thereby simplifying the rules and setting up governance structures, c) support for digitization with strengthened data protection requirements, d) transparency in data handling, and e) better control over data breaches.
GDPR repeals Directive 95/46/EC with effect from 25 May 2018.
3. Governance of GDPR
EU Parliament / EU Council
Information Commission Board
Supervisory Authority – every EU country
Data Protection Authority
Data Subject
Main Data Controller
Joint Data Controller
Data Processor
Sub Processor
Third Country Processor
Data Protection Officer – one for each of the controllers and processors above
4. What is the GDPR Scope?
Scope:
If the Data Subject (natural person) belongs to the EU or resides habitually in the EU and their identifiable data is controlled/processed/monitored by anyone within the EU or in third countries (as per contract).
For the few third countries where protection by national conditions/law creates a risk or conflict, the Board will list them on its site.
If the Data Controller or Processor has an establishment within the EU.
Exclusion for public agencies, courts and others with specific provisions listed.
If the EU data subject's behaviour is monitored by a controller not established in the Union but covered by virtue of public international law.
5. Definitions
Data Subject: An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
Controller: A natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law;
Processor: A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;
Processing: Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
Reference: Article 4 in Chapter 1
6. GDPR Structure
11 Chapters with 99 Articles, supported with 173 Recitals
Ch1: General Provisions (4)
Ch2: Principles (7)
Ch3: Rights of the Data Subject (12)
Ch4: Controller and Processor (19)
Ch5: Transfer of Personal Data to Third Countries or International Organizations (7)
Ch6: Independent Supervisory Authorities (9)
Ch7: Cooperation and Consistency (17)
Ch8: Remedies, Liabilities and Penalties (7)
Ch9: Provisions Related to Specific Processing Situations (7)
Ch10: Delegated Acts and Implementing Acts (2)
Ch11: Final Provisions (6)
Focus areas for IT organizations: Data Management & Protection in Controlling and Processing; Cooperation with Data Protection Authorities; Remedies and Penalties on Severe Breach.
7. Is GDPR related to information security?
What it is: GDPR is all about identifiable personal data of a natural person.
What it is not: GDPR is not about confidential business data, financial data or operations data that carries no personal reference.
Information security's scope of data coverage is larger and covers all of the data listed above and more. It also covers personal data controlled/processed within an entity.
Data Protection, the Functional View: functional thinking over data acquisition, storage, processing, analysis/use and destruction is required, whereas information security has less focus on it.
Data-specific operations oriented to the Data Subject: data pseudonymizing, traceability, availability and deletion are possible at any time, with the data subject having a say. Information security is more business-process oriented, and control by the data subject is not a focus.
8. What can be Personal Data?
Personal data means any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Personal data needs consent before processing. Consent can't be automatic and must be clear when it is received.
A natural person may ask that their personal data be rectified, erased, or restricted from further processing.
Any data which can identify a natural person with respect to behaviour, location, economic status, health/genetics, religious or political views, interests and other private information can be identified as personal data. Highly sensitive data is to be handled with more care.
9. What Role does an Offshore Organization Play with GDPR?
EU Personal Data from Main Establishment/Other Establishments – Business Connect. Ex: name, phone, working place, picture, etc.
EU Personal Data from Main Establishment/Other Establishments – Processing. Ex: work info processing, physical movement/access monitoring, etc.
EU Client Personal Data – Business Contacts. Ex: client email, signature, name, phone, address, picture, etc.
EU User Data – Specific to Engagements Processing. Ex: test data, production data, service desk, business process outsourcing, monitoring logs and patterns, embedded systems, IoT.
Kinds of personal data involved: identifier data, personal device data, relationship data, demography data, personal interest data, communication, content, financial, health, activities, context.
10. Can anyone Certify you for GDPR?
No individual certification scheme exists today; all are unofficial and not needed for GDPR.
No organizational certification scheme exists today; not needed for GDPR.
Yes, certification and accreditation may come from the Board and there is provision for it – Chapter 4, Articles 42 and 43.
These certifications may be valid for 3 years.
Certifications are "voluntary" in nature and they don't cover you from any actual breaches.
How do you demonstrate GDPR compliance today?
Demonstration is only by action and no certification is needed. However, some large organizations use ISO 27001, ISO 27017, ISO 27018, ISO 22301 & SOC reports; these are the only relevant certification options. Ex: AWS, Google, etc.
11. Data Lifecycle
Data Identification
• Process Involved
• Input data
• Source of data
• Detail of Data Controller (& Processor)
• Purpose of data
• Data Classification
Data Collection
• Supplier of Data/Provider
• Frequency of Collection
• Mode of Supply
• Terms of Collection
Data Processing & Storage
• Frequency of Processing
• Terms of Processing
• Processing Role and Outcome
• Storage of Data & Retrieval of Data
• Unit-wise/state/entity-wise Processing
Data Disposal
• Data Expiry/Criteria for Deletion
• Mode of Disposal
• Frequency of Disposal
• Validation on Disposal
To be maintained across all lifecycle phases: Integrity, Availability, Confidentiality, Security, Transparency
12. Preparation for an Offshore IT Organization – Updating your System
Offshore focus on Data Protection / GDPR Compliance – Management Direction
Data Protection Policy
Offshore Data Protection Officer; Onsite Data Protection Officer
Data Privacy/Protection Impact Assessment
Define Data Protection Controls: Security Controls, Data Protection Controls, Processing Protection
Inputs to the controls: Domain, Types of Service, Types of Data
Tools & Infrastructure Alignment
External parties: EU Data Protection Authority; Clients (Data Controller)
Business Unit – Practices & Tool Focus
DP Training Focus
Compliance System (DP, ISO & SOC)
Binding Corporate Rules (BCR) or Data Protection clause in every contract
Offshore Data Breach Reporting System (Incident Reporting)
13. Complying with GDPR in Projects
Understanding contractual clauses on Data Protection & GDPR training – sensitivity classification of the project
Develop project plan with data protection, policy adherence, needed tools, controls, practices
Identify data & classify
Check if org-level controls are enough; if not, additional controls to be added
Conduct training program or ensure all resources are trained in data protection
Project-level practices:
Establish configuration system aligned for data CIA
Use applicable data encryption & pseudonymizing techniques
Manage access control to data
Conduct data audit (can be part of config audit)
Assign responsibility for data management
Check backup & restoration & BCP
Data flow checking tools / transparency tool
Self-evaluation checklist on data protection in project
Data breach reporting mechanism
14. Implementing GDPR with your Existing Cybersecurity / Info Security / BCP / SOC
Corporate Changes
• Binding Corporate Rules
• Data Protection Governance Structure
• Data Protection Policies
• Business Development & Contractual Materials
Offshore Changes
• Data Protection Officer & Unit-Level Officers
• Data Protection Impact Assessment & New Controls
Aids of Data Protection Planning
ISMS / Cybersecurity Teams
• Extension of policy & procedure with data-specific pointers
• Involvement in assessments
• Incident report handling with DPO
• Update new controls
QMS Team
• Project-level data protection practice planning
• Policies and procedures application in projects – process updates
• Roles and responsibility update
• Configuration & project security practices
• Business continuity practices
BCP Team
• Strategy update with data sensitivity / impact-based continuity
• Controls on data protection at DR times
BU Teams
• Monitor data protection practices
• Client connect on data protection
IT Team
• New tools / infra alignment with GDPR
Evaluation
• SOC Controls
• ISO 29100:2011 application
• For Cloud – ISO 27017 & ISO 27018
15. Steps involved in Preparing your Organization
Assess
• Data profiling & mapping
• Impact and threats
• Corporate strategies
• Establish corporate policies
• Establish roles
Define
• Update controls
• Update responsibilities
• Update infra system & practices
• Define communication with DPO/Client/Agencies
Implement
• Train employees
• Train sub-contractors
• IT function & facilities implementation
• ISMS implementation
• Data protection aids usage
• BCP support
• Project implementation with supporting aids
Evaluate & Improve
• Perform data protection audits
• Perform self-reviews
• Monitor data breaches
• Support data controller & DPA
• Realign internal controls
• Assess EU-given data assets and align with them regularly
16. Where do I search for GDPR Resources?
For all resources related to GDPR, start by looking at:
https://www.eugdpr.org/
To know more on personal data protection and Data Protection Authorities:
http://ec.europa.eu/justice/data-protection/index_en.htm
The GDPR text can be downloaded from:
http://ec.europa.eu/justice/data-protection/reform/files/regulation_oj_en.pdf
For easy readability, refer to the online version:
https://gdpr-info.eu/
More news on GDPR and its application from experts:
http://www.itpro.co.uk/general-data-protection-regulation-gdpr/in-depth